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Abstract — The smart grid is envisioned to significantly en- 
hance the efficiency of energy consumption, by utilizing two-way 
communication channels between consumers and operators. For 
example, operators can opportunistically leverage the delay 
tolerance of energy demands in order to balance the energy 
load over time, and hence, reduce the total operational cost. 
This opportunity, however, comes with security threats, as 
the grid becomes more vulnerable to cyber-attacks. In this 
paper, we study the impact of such malicious cyber-attacks 
on the energy efficiency of the grid in a simplified setup. 
More precisely, we consider a simple model where the energy 
demands of the smart grid consumers are intercepted and 
altered by an active attacker before they arrive at the operator, 
who is equipped with limited intrusion detection capabilities. 
We formulate the resulting optimization problems faced by the 
operator and the attacker and propose several scheduling and 
attack strategies for both parties. Interestingly, our results show 
that, as opposed to facilitating cost reduction in the smart 
grid, increasing the delay tolerance of the energy demands 
potentially allows the attacker to force increased costs on the 
system. This highlights the need for carefully constructed and 
robust intrusion detection mechanisms at the operator. 

I. Introduction 

Over the past few years, the smart grid has received 
considerable momentum, exemplified in several regulatory 
and policy initiatives, and research efforts (see for example 
[1], [2] and the references therein). Such efforts have ad- 
dressed a wide range of topics spanning energy generation, 
transportation and storage technologies, sensing, control and 
prediction, and cyber-security [3]. 

Demand response/load balancing and energy storage are 
two promising directions for enhancing energy efficiency 
in the smart grid. Non-emergency demand response has 
the potential of lowering real-time electricity prices and 
reducing the need for additional energy sources. The basic 
idea is that, by utilizing two-way communication channels, 
the emergency level of each energy demand (at the end-users 
or central distribution stations) is sent to the grid operator 
that, in turn, schedules these demands in a way that flattens 
the load. This potential gain, however, comes at the expense 
of the security threat posed by the vulnerability of the 
communication channels to interception and impersonation. 

This paper is, to the best of our knowledge, the first 
attempt to characterize the impact of cyber-attacks on the 
smart grid, in terms of its energy efficiency. More specif- 
ically, we propose a novel model that captures the above 
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Fig. 1: A system model for a smart grid in the presence of a 
single attacker. The forward channels between the consumers and 
the grid operator are fully compromised by the attacker. (a,d,e) is 
the vector of the start times, deadlines and energy requirements of 
the consumer demands, respectively. 



scenario in the presence of a single attacker. Our model of 
the smart grid, similar to [4], includes a grid operator and n 
consumers that are capable of energy storage, harnessing the 
potential cost savings in the smart grid. Each consumer has a 
single energy demand that includes the amount of energy the 
consumer requests, the service start time, and the deadline 
by which the requested energy should be delivered. The 
consumers send their demands, simultaneously, over separate 
communication channels to the operator. The grid operator 
attempts to schedule these demands so as to balance the 
load across a finite period of time, and hence minimize the 
total cost paid to serve these demands. In our model, we 
also assume the presence of a single attacker who is fully 
capable of intercepting and altering the consumer demands 
before they arrive at the operator, as shown in Figure [T] 
The end goal of the attacker, as opposed to the operator, 
is to maximize the operational cost paid by the system 
for these demands, hence reducing the energy efficiency of 
the system. We differentiate between two scenarios. The 
first corresponds to a naive operator who fully trusts the 
incoming energy demands, whereas in the second, a simple 
intrusion detection mechanism (that will be discussed later) 
is assumed to be deployed by the operator. The attacker's 
desire to remain undetected imposes more limitations on 
its capabilities, and hence, reduces the potential harm. This 
desire can be justified, for example, by considering the long- 
term performance of the grid, i.e., successive instances of the 
problem considered in our model, where in each instance n 
energy demands are issued and altered by an attack. From 
this perspective, one can envision scenarios where the total 
impact of successive attacks is more damaging when the 
attacker remains undetected. 

Based on the aforementioned assumptions, we first for- 
mulate the optimization problems faced by the operator 
and the attacker. For the operator, when being oblivious to 
any attacks, a minimization problem needs to be solved. 
On the other hand, the attacker is aware of the optimal 



strategy employed by the operator, and hence, a maximin 
optimization problem needs to be solved. In our formulation, 
we limit the attack's strength by the number of energy 
demands he is capable of altering, without being detected. 
For the case where the attacker is capable of altering all of 
the consumer's energy demands (the attacks thus reach their 
full potential and force the system to operate at the maximum 
achievable total cost), we show that the attacker's maximin 
problem is reduced to a maximization problem. Our main 
contribution can be summarized as follows. 

• For both the operator and an unlimited attacker, we 
propose optimal offline strategies (Section [ITT|> - The gap 
between the two indicates the maximum damage that an 
attack possibly causes. We also provide efficient online 
strategies for both of them, which are more practical in 
terms of operability and indicate a lower bound on the 
possible damage due to an unlimited attack. 

• For more limited attacks (Section |IV) >, we use a simple 
greedy algorithm to arrive at a lower bound on the re- 
sulting total cost in terms of the flexibility allowed to the 
stealthy attacker for altering the demands. Additionally, 
we provide a Dynamic Programming-based algorithm 
that computes an upper bound on the total cost achieved 
by such attacks. 

• We provide numerical results that support our theoreti- 
cal claims under different scenarios (Section[V]i. In these 
studies, we compare the average system performance in 
the presence/absence of attacks with the expected sys- 
tem performance when the delay tolerance of the jobs 
is not exploited by the operator (resembling the current 
electric gird where the communication infrastructure is 
absent). Moreover, we show the trade-off between the 
strength of the intrusion detection at the operator and 
the reduction in the system's efficiency due to stealthy 
attacks. 

• From our analysis and numerical results, we conclude 
that in the absence of security threats an increase 
in the delay tolerance of the energy demands increases 
the energy efficiency of the system, as expected, since 
the smart grid's operator is offered more scheduling 
opportunities. On the other hand, with a limited defense 
mechanism at the operator, this increase offers a similar 
opportunity to the attacker to force costs even higher 
than those incurred by the regular grid, transposing 
the purpose of the communication capabilities provided 
to the consumers. 

II. Problem Formulation 

In this paper, we consider the control and optimization 
framework first proposed in [4] for the demand side of the 
smart grid. This framework assumes a central controller and 
n energy consumers that send their energy service demands 
to the controller using perfect channels. We consider a 
time-slotted system with this model and add to it a single 
active attacker, that is capable of intercepting and altering 
the consumer demands. Let J = {l,...,n} denote the set 
of energy demands. The energy demand is composed 



of the tuple (aj,dj,ej), where audi £ N + denote the the 
demand's arrival time and deadline, respectively, e ; e M. + 
denotes the requested total energy by the consumer, and 
a\ < ci2 < ... < a n . Each energy demand is sent to the 
controller over a perfect channel that is fully intercepted by 
the attacker. Hence the attacker can substitute each demand 
(aj,dj,ej) by (a'-,d'.,e'-), which are then received by the 
controller. For ease of notation, we define a = [a\,...,a„]. 
a' ,d,d' ,e,e' are defined similarly. 

Upon receiving the n (altered) demands, an admissible 
schedule of these jobs is to be determined by the controller. 
A schedule is admissible if each job is served its requested 
energy upon or after its arrival and before or upon its 
deadline (job preemption is allowed). Letting T ^maxjd'j, 
a schedule is given by S € R + " x7 \ where sp denotes the 
amount of energy allocated to job j in time slot t. Let 
Es(t) be the total energy consumed at time slot t G [0,T] 
under the schedule S, i.e., E$(t) = T,jsJ s jt- Let C(Es(t)) 
denote the cost paid for the total energy consumed at time 
slot t with schedule S, where C : R + —> M. + is assumed to 
be non-decreasing and convex. The convexity assumption 
implies that, as the demand increases, the differential cost 
at the operator increases, i.e., serving each additional unit of 
energy to increasing demand becomes more expensive [4]. 
Accordingly, the controller attempts to find an admissible 
schedule that balances the load over [0, T]. The optimization 
problem at the controller side is then defined as follows: 

T 

C ml> ,(aUV) = min £ C(£ 5 (0) 
s f=i 
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T 

J^sj, =e'p Vj eJ, 
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Sjt = 0, Vf < a'j,t > d'j,Vj G J. (Pmin) 

On the other hand, the attacker attempts to find appropriate 
values of a',d',e' such that the cost achieved by the legit- 
imate controller is maximized, without being detected (see 
Figure [TJ. The intrusion detection capability at the controller 
is modeled as the number of energy demands the attacker is 
capable of altering without being detected. This threshold is 
known a priori to all parties and the attacker solves: 

C>namin(^)^) ^) P) = max C m { n {a ,d ,e ) 

a',d',e',J* 

s.t. a'j,d'jeN + , VjeJ, 

e) = e h VjeJ, 
a': > aj,d'j < dj, V/' G /, 
\J*\<$n, (Pmaxmin) 

where P G M,0 < P < l,$n G N+ and 

J* = {jEJ:dj^aj or d'j^dj}. (1) 

In the above formulation, J* denotes the set of jobs altered 
by the attacker, and p denotes the fraction of jobs that can 
be altered without being detected. The remainder of the 
constraints imply that, if the energy requirement of a job is 



not satisfied or a job is served outside its legitimate service 
duration, the attacker can be easily detected, e.g., by the 
corresponding consumer. Under this formulation, the case 
P = 1 is of special interest to us as Problem ( Pmaxmin i can 
be transformed into a maximization problem. To see this, 
consider any undetectable strategy followed by the attacker 
such that a'j = d'j = tj, for some tj 6 \aj ,dj], for all jobs j G /. 
All such strategies are always feasible to the attacker by our 
assumption of p = 1 and, if employed by the attacker, leave 
no degrees of freedom to the controller. Moreover, due to 
the monotonicity and convexity of C, it is easy to see that it 
suffices for the attacker to consider only this set of strategies. 
Therefore the Problem (Pmaxmin I, under (p = 1), reduces to 
a cost maximization problem which looks for a strategy that 
serves each job in a single feasible time slot. The attacker 
hence solves the following problem: 
T 



is an adapted discrete-time version to that of [5]. Define the 
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We provide efficient offline and online solutions to Prob- 
lems ( |Pmin[ i and ( |Pmax[ i in the next section, and upper 
and lower bounds for Problem ( |Pmaxmin| ) in Section [TV| 
For comparison purposes, we will also consider an inelastic 
scheduling policy for the controller as a baseline, where each 
job is served its total energy immediately upon its arrival. 
This strategy represents the case when the delay tolerance 
of the jobs is not exploited. Therefore, the resulting cost 
resembles that paid in the current regular gird, where no 
communication channels are established, and accordingly, 
the system is not vulnerable to the cyber-attacks discussed 
in this paper. The resulting baseline cost is defined as: 
Cbase(a,d,e) = L ? e[o,r] C {Y,y. aj =t e j] ■ 

Finally, the following definitions are used throughout this 
paper. For each job j G /, define its job allowance to be /; = 
dj-Oj and let l max = max jeJ lj, l min = imaj e jlj, and e max 
max j jc . Denote the set of the endpoints of the job intervals 
by X: = {ai,...,a n }U{di,...,d n } = {l,...,q}. For every 
pair k < I G X, let I(k, I) be the set of all jobs whose intervals 
are entirely contained in [k,l], that is, I(k,l) = {j G J: aj > 
k,dj < I}. 

III. Optimal Strategies and Performance Bounds 

In this section, we first find the optimal scheduling strategy 
for the controller (the solution to Problem ( |Pmin| i). Second, 
we study Problem ( |Pmax[ i and propose both an optimal 
offline attack and a simple online attack and compare their 
performance. Finally, an explicit bound on the impact of an 
attack is presented. 

A. Optimal Scheduling for the Controller 



The optimization problem at the controller (Problem Pmin I 
can be directly mapped to the "minimum-energy CPU 
scheduling problem" studied in [5], Our discussion below 
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and let I*(k*,l*) be the set of jobs that maximizes E(I(k,l)) 
over all k, I G X. It is shown in [5] that the optimal strategy 
schedules a total energy of E(I* (k* ,/*)) in each time slot 
in [Jfc*,/*]. Hence a greedy algorithm that searches for I*, 
schedules the jobs in 7* and then removes those jobs (and 
the corresponding interval) from the problem instance, can 
be used to solve Problem ( |Pmin| i: 

Algorithm 1: Repeat the steps below until J is empty. 

1) Identify I*{k*,l*). Schedule the jobs in I*(k*,l*), such 
that E s (t)=E(I*(k*,l*)), for all t G [**,/*], according 
to the Earliest Deadline First (EDF) policy (which is 
always feasible). 

2) Modify the problem to reflect the deletion of the jobs 
in I*: For all jobs j G J\ I*, if 0/ > k*, set aj <- 
max(fc* — l,a/ — (/* — k*)— 2); modify dj similarly. Set 
J^J\I*. 

The above algorithm arrives at the optimal schedule with 
complexity 0(n 2 ). In our simulations (Section [vj), we also 
compute an upper bound on the solution using an online 
algorithm that simply distributes the energy requirement of 
each job evenly on its service interval [5]. 

B. The Fully-compromised Controller 

We now turn our attention to Problem ( |Pmax[ ) and form 
a graph theoretic version of this problem. This is useful for 
describing the optimal full attack strategy, and for studying 
the impact of more limited attacks. Let G = (V,E) be the 
interval graph induced by the jobs in J, i.e., each vertex 
Vj G V corresponds to a job interval, given by [aj,dj], while 
an edge is thrown between any two vertices iff the two 
corresponding job intervals intersect at one or more time slots 
[6]. We define the corresponding cost function over subsets 
of V as /: 2 V -> R+, given by /(0) = 0,f(S) = C (Ljesej) 
for any SCV. In the induced interval graph, a clique is 
a subset of vertices S C V, such that every two vertices in 
S are connected by an edge. A maximal clique (inclusion- 
wise) is a clique that is not a subset of a larger clique. By 
these definitions, our problem corresponds to finding a clique 
partition of G that maximizes the total cost taken over the 
cliques in this partition, i.e., find 



C max {G) = max £ f(K), 
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where fP(G) is the set of all clique partitions of G. By 
our assumptions on C, the set function / is non-decreasing, 
i.e., f(S) < f(T), whenever S C T C V. Moreover, for every 
S,TCV such that f(S) >f(T), and u G V \ (TUS), we have 
f(S + u)+f(T) > f(S)+f{T + u). By these two properties, 
the optimal clique partition, solving includes a maximal 
clique . In fact, if we let G(I(k,l)) be a subgraph of G re- 
stricted only to the jobs in any I(k,l), then C max (G(I(k,l))) 
is achieved by a partition that contains a maximal clique 
of the subgraph G(I(k,l)) as well. Hence, for any such 



subgraph, each maximal clique contained in the subgraph 
separates the optimization problem into two subproblems 
and a Dynamic Programming algorithm (adapted from [7]) 
solves the problem accordingly. 

Let C(k,l) be the maximum feasible cost that could be 
achieved by scheduling the jobs in I(k,l). Given k < z < I, 
let Ki i be the set of all the jobs whose intervals contain time 
slot z, i.e., t is a maximal clique contained in I(k,l). By 
our discussion, the following recursion clearly holds. 



C(k,l) = max 

ze[k,t\ 




C(k,z-l) + C(z+lJ) 



(4) 



Our algorithm iterates over all intervals [k, 1} , k, I G X, k < I, 
with increasing interval length. In each iteration step, the 
algorithm computes C(k,l), where the last two terms are 
obtained from previous iterations. A formal description of 
this Dynamic Program is now presented. 

Algorithm 2: [7] For all k G X, set the initial condition 



C(k,k) 




(5) 



With increasing subproblem width (I — k), apply the follow- 
ing Dynamic Program: 

1) Solve the optimization Q. Denote the solution by z* ■ 

2) Update the clique partition 



d(k,l) 



0, if I(k,l) =0, 
^Q,(fc,z*-l)U£f*UQXz* + l,Z), °- w - 
The optimal cost is C( 1 , q) and the optimal clique partition 
is Q,(l, <?), which are computed in the final step of the above 
program. From the obtained clique partition, one can easily 
compute a set of time slots, tj,j £ J and set , 



solving Problem (Pmaxi. The obtained schedule leaves no 
degrees of freedom to the controller as, after the attacker's 
modifications, all jobs become virtually urgent to controller 
and must be scheduled immediately upon their arrival. It is 
also clear that, as the jobs' allowance increases, the attacker 
is capable of forming larger cliques and hence imposing 
higher costs on the controller. Our goal in the remainder 
of this section is to formalize this observation. Towards this 
end, we first present a simple online attack where the jobs 
in J are partitioned into cliques according to an EDF policy. 
That is, starting from the earliest deadline, all the jobs that 
arrive before or upon each deadline are grouped in a single 
clique and then removed from the problem instance: 
Algorithm 3: Set i = l,m = 0. Repeat until J is empty: 

1) Set d = vcAnjfzjdj. 

2) Set Ni = {j£ J: aj<d}. 

3) For all G A/,-, set tj = d. 

4) Update J <-J\Ni, m <- m + 1 , i <- i + 1. 

Once the clique partition {7V;},z'G {l,...,m}, has been 
established, the resulting cost is computed as 




(6) 




Fig. 2: A lower bound on C max plotted for various values of n and 
/„„,, under a quadratic cost function (i.e., b = 2). The average 
energy demand is 10 while the average inter-arrival time is 5. 



Our next result shows that, despite its simplicity and online 
operation, Algorithm [3] could still achieve a significant loss 
in the system's efficiency: 

Proposition 1: For C(E) =E b ,b G R,b > 1, Algorithm^ 
has an approximation factor of r: = {'f^] +1. 
Moreover, when C(.) is a power function of the form C(E) = 
E b ,b £R,i)> 1, the simple structure of the online solution 
also allows us to arrive at an explicit lower bound for C max : 

Proposition 2: For C{E) = E b ,b G R,b > 1, 



(7) 



The proofs for both propositions are provided in the Ap- 
pendix. The above result can be used to estimate the growth 
of C max with l m i„. For instance, if we fix the average energy 
demand and the average inter-arrival time to arbitrary values, 
the bound obtained in Proposition [2] versus an increasing 
can be plotted. See Figure [2] for an example. As shown in 
the figure, C max grows at least linearly with /„„■„, and the rate 
of growth increases as the sample size n increases. More 
numerical results are reported in Section [V] 

Our numerical results in Section [V] provide more insights 
on the performance of the online attack. 

IV. Performance Bounds under Limited Attacks 

In this section, we study the case where the attacker is 
capable of changing the arrival times and the deadlines of 
only B = pn jobs. Similar to our argument in Section |llj the 
attacker could only consider the following strategy: Choose 
a set of jobs J* <zJ such that \J* \ = pn, and set a'- = d'j = t* 
for all jobs /' G J* and leave all other jobs unaltered. We 
propose two polynomial time algorithms that render a lower 
and an upper bound, respectively, on the performance due to 
the considered limited attack. For simplicity, we let C max = 

Cmax\P"idi6) and C ma xmin($) — C ma xmin{ a > d, 
A. A lower bound 

Inspired by the standard greedy algorithm for the fractional 
knapsack problem [8], we propose a simple variant that is 
tailored to our problem. In the classical fractional knapsack 
problem, m items are given, each with a weight vt>j and a 
value vi. We need to specify which items to collect such 



that their total weight does not exceed a specified quantity 
(PoL/WnO < p < 1) and their total value is maximized. A 
fraction of any item might be collected, and the correspond- 
ing value is scaled according its chosen weight. The greedy 
algorithm below solves this problem. 
Algorithm 4: Given (vi , wi), . . . , (v m ,w m ) and po 

1) Sort (v,-,w,) according to v,-/w; in a non-increasing 
order. 

2) Choose the first A; pairs, (vi,Wi), . . . , (vk,Wk) s -t- 

k m k+\ m 

< Po^w,', 52 w ' > Po^w;. (8) 

1=1 1=1 1=1 1=1 

The optimal set is the chosen k items in step (2), and a 
fraction of the k + 1-th item as the budget allows. Moreover, 
if we let the remaining weight budget after selecting the 
first k pairs to be pi = (poL"li Wi - E*=i w d / w k+l, by the 
greedy selection, we have 

k m 



(9) 



The proposed attack strategy builds on this algorithm: 
first, the attacker finds the optimal clique partition using 
Algorithm [2] assuming a full budget. Then, it utilizes the 
above algorithm twice; once to choose a set of cliques to 
fully compress (i.e., to collapse the job allowances within 
each clique to one common time slot), and to choose a set 
of jobs within a given clique to fully compress. The choice 
that results in a higher cost is adapted. 
Algorithm 5: 1) Find the optimal clique partition of 
the jobs, K\, . . . ,K m ,l < m < n, using Algorithm [2] 
(assuming a full budget). For each clique K{, set £/ = 
Z jeK .ej mdNi = \Ki\. 

2) Apply Algorithm |4] to the pairs (C(J5j),iVj),l < i < m, 
and p, and pick the resulting k cliques (ignoring the 
fraction generated by the algorithm). Compute the cost 
C\ resulting from fully compressing those k cliques. 

That is, Ci=Ef =1 C(£i). 

3) For the (k+ l)-th clique, apply Algorithm|4]to the pairs 
(ej, l),j G Xjfe+i and p2 : = ^"y ■ Compute the cost C2 
resulting from fully compressing the chosen k' jobs. 
That is, C 2 = c(z!< =1 eX 

4) If C\ > C2, fully compress the jobs in cliques l,...,k. 
Otherwise, fully compress the chosen jobs from clique 
k + l. Set C mi „(p) =max(Ci,C 2 ). 

To get insights on the performance of this attack, suppose 
that, under no budget constraints, the optimal clique partition 
(obtained from Algorithm |2]i is composed of cliques of size 
one. In this case, our greedy attack will choose to fully 
compress the P« jobs of the highest energy demands. This 
guarantees that C maxmin ($) > pC, ;MA . Another extreme case 
is when the optimal clique partition is composed of one 
clique containing the n jobs. Here, our greedy selection 
guarantees that C^^CP) > C(P£ ;&/ e;). When C(.) is a 
power function of the form C(E) = E b ,b G R,b > 1, we then 
get C maxmin {$) > $ b C max - For more general clique partitions, 
these two insights are used to arrive at the achievable bound 
below (the proof is found in the Appendix). 



Proposition 3: For C{E) = E h ,b G R,b > 1, 

P 6 

Qjnaxmin($) — l^Cmax- 



(10) 



B. An upper bound 

In order to compute an upper bound on the system's 
performance, we find the optimal attack strategy under the 
assumption that the controller follows the baseline schedul- 
ing strategy given in Section |7/| We further assume that at 
most one job arrives at any given time slot t G [0,T], Our 
main observation is that, under these assumptions, Problem 
|Pmaxmin| can be solved by a Dynamic Programming al- 
gorithm similar to Algorithm |2l To illustrate, consider the 
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solution to Problem IPmaxminT when the controller follows 
the baseline scheduling strategy. The jobs' schedule under 
this solution is a clique partition of the induced graph G, 
which we denote by fP*(G). Let O denote the set of all the 
cliques of size one in T* (G) and O' — T* (G) \ O. Since at 
most one job can arrive at any time slot, without of loss of 
optimality, we can assume that each clique K G O' contains 
exactly a single job, say ]k, that has an unaltered arrival time. 
The remainder of the jobs would have arrival times altered 
to match that of jk- For instance, we can choose jk as the 
job with latest arrival in clique K. Hence, the budget used to 
form clique K is exactly \K\ — 1. This observation leads to 
the below proposition (the proof is found in the Appendix). 

Proposition 4: Let K\ G O' be the clique containing the 
maximum total energy requirement in O'. If K\ is not a 
maximal clique in G, it can be made maximal by adding 
job(s) only from O. 

The above proposition can be directly applied to any sub- 
graph G(I(k,l)), as defined in Section 
case P = 1, for any such subgraph, each 



Similar to the 
maximal clique 
contained in the subgraph separates the optimization problem 
into two subproblems. Hence, if we dedicate a budget of 
m jobs to any interval [k,l], we can construct a recursion 
that computes C(k,l,m) by parsing for maximal cliques in 
each time slot z G [k,l], investigating all the possibilities of 
using only a budget of i out of m for each found clique. 
We would also exhaust all the possibilities of distributing the 
remaining budget m — i + 1 on the resulting two subproblems 
of any chosen clique, and any chosen budget for that clique. 
By Proposition |4] the constructed recursion indeed holds. A 
Dynamic Program similar to Algorithm [2] is built and the 
results are reported in Section [V] 

V. Numerical Results 

In this section, the job arrivals are simulated as a Poisson 
arrival process with mean 5. All the job allowances are 
independently and identically distributed exponential random 
variables. We use a quadratic cost function C(E) = E in all 
of our simulations. Figure [3] reports our comparison between 
the maximum and the minimum cost caused by an opti- 
mal/online full attack and an optimal/online uncompromised 
controller, for n = 100. The results are obtained by varying 
the job allowance mean and are averaged over 20 trials. 
The amount of energy demands is uniformly distributed 
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Fig. 3: Average total cost for different scheduling strategies versus 
the job allowance mean. The mean interarrival time is 5. 
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Fig. 4: Bounds on the total cost attained by a partial attack with a 
varying P for 50 jobs. 

on [1,5]. As shown, as the job allowance mean increases, 
more flexibility is offered to the uncompromized controller, 
hence enabling further cost reductions. This, however, offers 
a similar opportunity for the attacker to form larger cliques of 
jobs and increase the harm. For instance, a fully unprotected 
controller, on the average, ends up paying 250% of the 
expected baseline cost (700% of the expected minimum 
cost), under an optimal full attack and large-enough time- 
flexibility. Our proposed suboptimal algorithm for the at- 
tacker maintains significant gains over both the baseline 
and minimum costs, even with the increased job allowance 
variance. Figure |4] focuses on the performance of partial 
attacks that were launched using the proposed algorithms 
in Section [IV] In our experiment, the simulation sample 
is composed of 50 jobs. The energy requirements were 
uniformly distributed on [1,20] while the mean job allowance 
was set to 40. The results are averaged over 5 trials. As 
shown, with the increased allowance mean, the obtained 
clique partitions become denser and therefore the bounds 
become tighter. Also, observe that using a simple greedy 
algorithm, the attacker is immediately capable of achieving 
a cost arbitrarily close to Ct, ase f° r our sample, with a chance 
of altering only 5 jobs out of 50. 

Finally, in a more controlled experiment, we have gener- 
ated 50 identical demands, with each requiring a 5 energy 
units and offering an allowance of 50. The interarrival times 
between jobs are all set to one value, denoted by M a in 
Figure [5] M a was set to various values between 1 and 
10, and Qmaxminl^max was computed with varying values 
of p. This enables us to gain more insights on how the 
growth of Cmaxmin, with respect to P, and how this growth 
is affected by the clique densities. As shown in the figure, 
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Fig. 5: Performance of a limited attack with respect to the 
allowed budget fraction P for 50 identical jobs with 
ej — 5,lj = 50. The interarrival times are all set to M a . 

when M a = 1, with our chosen parameters, a single clique 
of jobs could be formed to achieve the maximum cost, 
and hence, in accordance with our theoretical results, the 
attacker could achieve approximately p 2 of the maximum 
achievable cost. As M a increases, the growth of C majcmi „ / C max 
with p approaches a linear trend. The reason is that as M a 
increases, the size of the optimal clique partition of jobs 
increases, having approximately equally sized cliques. Hence 
the maximum cost decreases so does the contribution of each 
clique to the maximum cost. 

VI. Conclusion 

In this paper, we have studied the performance of the 
smart grid, in terms of energy efficiency, in the presence 
of active attacks on the system. When the grid operator is 
fully compromised, we have proposed optimal scheduling 
and undetectable attack strategies. We have derived bounds 
on both the minimum and maximum achievable cost by an 
attacker with low complexity, online algorithms. In addition, 
we gave bounds on the impact of attacks that are limited by 
intrusion detection at the operator. In these limited attacks, 
we have shown that a significant increase in cost could 
still be achieved by a simple greedy algorithm. Overall, 
our theoretical analysis and numerical results show that an 
inelastic utilization of the communication channels in the 
smart grid could result in costs significantly higher than those 
expected for both the smart grid and the current electric 
grid, motivating the need for stronger intrusion detection and 
defense strategies for grid operators. 
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Appendix 

A. Proof of Proposition [7] 

For a given problem instance, J, a,d,e, let the optimal 
partition of the jobs in / be Ki,K2, . . . ,K m * such that 



C max (a,d,e) = £ I e i 
z=l \jeK z , 



(ID 



By our construction of {N,}, i G { 1 , . . . , m}, we have that, for 
all i' > i, all the jobs in Afy have arrived strictly later than 
the earliest deadline of the jobs in N{. Consequently, each 
K z ,z G {1, . . . ,m*} could have a nonempty intersection with 
at most r consecutive sets in the partition {N{}, i G {1, . . . ,m}. 
Letting K(z,i) =K z DNi, we have 

C max (a,d,e) = £ e /)) 

z=i \i=i Wfei) / / 

(a) '»* m / \ * 

< L^L E «y 

z=i '=1 \jeK(z,i) j 

where (a) is obtained by the power mean inequality. 

B. Proof of Proposition [2] 

From Eq([6]l and the power mean inequality, we have 



r 



> c > 



(12) 



We will show that m < n/r + 2, where r = """" , and this 
completes the proof. If r < 1, we are done. Otherwise, it 
suffices to show that m< n/r + 2 for (n/r) G K\ N + . 

In the solution of Algorithm [3] the maximum number of 
cliques of size 1 is \ n/r\, for otherwise, our assumption on 
r is violated. We assume that the number of cliques of size 1 
is \n/r\ — k, k > 0. Hence the summation of the interarrival 
times of those jobs is GE ([»AJ —k)l m i„, if they did not 
include the last arrival in J, and is GE ( \n/r\ — k — 1 ) / min if 
they did. On the other hand, if the number of the remaining 
cliques is strictly larger than k + 2, then necessarily the 
summation of the interarrival times corresponding to those 
cliques is strictly larger than (k+ 1 )/„„■„, if they include the 
last arrival, and strictly larger than (k +1 )/,„,■„ otherwise. 
Combined with the argument above, we find that we can 
have at most k + 2 remaining cliques, and accordingly m < 
[n/r\ +2 < n/r + 2. 



C. Proof of Proposition [3] 

Let Pi = V"-( N i+-+ N k) denote the fraction of budget 
available to clique k+l assuming the first k cliques are fully 
compressed, and p2 = P]^T' 

By the greedy selection of jobs in step (3) of Algorithm [5] 
and (|9]i, we have £*' =1 e } > faE k+1 . Therefore, C 2 > $, E k+v 
Let Cq = C\ +pi£| +1 . Then by the greedy selection of 



cliques in step (2) of Algorithm [5] and (|5J, we have Co 



> 



C, 



We then have 
max(Ci,C2) 



Co 



> 



C 2 



d+Pi4 +1 " C 2 + pi£ 



Rb pb 



k+l 



(«) 
> 



> 



m+i+ViE, 
p ft 



J 2 



b 

k+l 

pr 1 



p^+pi 



p" 



2^P2 



b-1 , 
2 ^ 
6-1 



P 



b-1 



1 



> 



P 



where (a) follows from pi 
Hence C maxmin > R 



< 



p 2 and (b) follows from p 2 > p. 



-C 



2- C > T' 

D. Proof of Proposition |4] 

Assume that K\ is not maximal. Then there exists a job 
j € V \ K\ such that K\ + j is a clique in G. If j is in some 
clique K2 G (9' and a'- 7^ then we can schedule job 7 in 
K\ without affecting the attacker's budget. Moreover, by the 
convexity of C(.), the resulting cost cannot decrease by this 
change. If j is in some clique K2 G O', and a'j = aj, then we 
can schedule all the jobs in clique K\ together with job j, 
and schedule all the jobs in K2 at the latest arrival time of 
the remaining jobs in /f 2 . This leaves the budget unaffected 
and could only increase the total resulting cost. 



